Use user specific NSSDatabase in CertLoader.

chromeos/cert_loader.cc

Index: chromeos/cert_loader.cc
diff --git a/chromeos/cert_loader.cc b/chromeos/cert_loader.cc
index 70e49819d0840705d1a5c2b65e0f5e93612f2e5f..4a3e7f203123223cc0e99053399cff179db7a055 100644
--- a/chromeos/cert_loader.cc
+++ b/chromeos/cert_loader.cc
@@ -8,11 +8,13 @@
 
 #include "base/bind.h"
 #include "base/location.h"
+#include "base/sequenced_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/task_runner_util.h"
 #include "base/threading/worker_pool.h"
 #include "crypto/nss_util.h"
 #include "net/cert/nss_cert_database.h"
+#include "net/cert/nss_cert_database_chromeos.h"
 #include "net/cert/x509_certificate.h"
 
 namespace chromeos {
@@ -58,37 +60,15 @@ CertLoader::CertLoader()
       certificates_loaded_(false),
       certificates_update_required_(false),
       certificates_update_running_(false),
+      database_(NULL),
       tpm_token_slot_id_(-1),
+      is_hardware_backed_(false),
+      hardware_backed_for_test_(false),
       weak_factory_(this) {
-  if (TPMTokenLoader::IsInitialized())
-    TPMTokenLoader::Get()->AddObserver(this);
-}
-
-void CertLoader::SetSlowTaskRunnerForTest(
-    const scoped_refptr<base::TaskRunner>& task_runner) {
-  slow_task_runner_for_test_ = task_runner;
 }
 
 CertLoader::~CertLoader() {
   net::CertDatabase::GetInstance()->RemoveObserver(this);
-  if (TPMTokenLoader::IsInitialized())
-    TPMTokenLoader::Get()->RemoveObserver(this);
-}
-
-void CertLoader::AddObserver(CertLoader::Observer* observer) {
-  observers_.AddObserver(observer);
-}
-
-void CertLoader::RemoveObserver(CertLoader::Observer* observer) {
-  observers_.RemoveObserver(observer);
-}
-
-bool CertLoader::IsHardwareBacked() const {
-  return !tpm_token_name_.empty();
-}
-
-bool CertLoader::CertificatesLoading() const {
-  return certificates_requested_ && !certificates_loaded_;
 }
 
 // This is copied from chrome/common/net/x509_certificate_model_nss.cc.
@@ -120,13 +100,48 @@ std::string CertLoader::GetPkcs11IdForCert(const net::X509Certificate& cert) {
   return pkcs11_id;
 }
 
-void CertLoader::RequestCertificates() {
+void CertLoader::SetSlowTaskRunnerForTest(

[pneubeck (no reviews), 2014/01/24 13:18:02]

nit:
If you already reorder the definitions, could you match it with the declaration
order?
Although it would be preferable to save all reordering for a separate CL.

[tbarzic, 2014/01/25 00:26:27]

Done.

+    const scoped_refptr<base::TaskRunner>& task_runner) {
+  slow_task_runner_for_test_ = task_runner;
+}
+
+void CertLoader::AddObserver(CertLoader::Observer* observer) {
+  observers_.AddObserver(observer);
+}
+
+void CertLoader::RemoveObserver(CertLoader::Observer* observer) {
+  observers_.RemoveObserver(observer);
+}
+
+bool CertLoader::IsCertificateHardwareBacked(
+    const net::X509Certificate* cert) const {
+  if (!database_ || !cert)

[pneubeck (no reviews), 2014/01/24 13:18:02]

DCHECK(cert) (or let it crash in IsHardwareBacked below) instead of return false
?

[tbarzic, 2014/01/25 00:26:27]

Done.

+    return false;
+  return database_->IsHardwareBacked(cert);
+}
+
+bool CertLoader::CertificatesLoading() const {
+  return certificates_requested_ && !certificates_loaded_;
+}
+
+void CertLoader::StartWithNSSDB(net::NSSCertDatabase* database) {
   if (certificates_requested_)

[pneubeck (no reviews), 2014/01/24 13:18:02]

this shouldn't be called more than once anymore, right?
then it should return silently and instead only CHECK(!database_);

all other occurrences of certificates_requested_ can be replaced by database_
and the former be removed.

[tbarzic, 2014/01/25 00:26:27]

Done.

     return;
   certificates_requested_ = true;
 
-  DCHECK(!certificates_loaded_ && !certificates_update_running_);
+  CHECK(database);

[pneubeck (no reviews), 2014/01/24 13:18:02]

nit: not necessary, will crash anyways below.

[tbarzic, 2014/01/25 00:26:27]

Done.

+  CHECK(!database_);
+
+  database_ = database;
+  tpm_token_slot_id_ =

[pneubeck (no reviews), 2014/01/24 13:18:02]

Has to be cached? Why not calculate every time?

[tbarzic, 2014/01/25 00:26:27]

Done.

+      static_cast<int>(PK11_GetSlotID(database_->GetPrivateSlot().get()));
+
+  is_hardware_backed_ = hardware_backed_for_test_ ||

[pneubeck (no reviews), 2014/01/24 13:18:02]

hardware_backed_for_test_ can only switch is_hardware_backed_ from false to
true.
Maybe rename it to "force_hardware_backed_for_test_" ?

Does this value even have to be cached? Why not calculate every time?

[tbarzic, 2014/01/25 00:26:27]

Done.

+                        PK11_IsHW(database_->GetPrivateSlot().get());
+
+  // Start observing cert database for changes.
   net::CertDatabase::GetInstance()->AddObserver(this);
+
   LoadCertificates();
 }
 
@@ -149,7 +164,11 @@ void CertLoader::LoadCertificates() {
   task_runner->PostTaskAndReply(
       FROM_HERE,
       base::Bind(LoadNSSCertificates,
-                 net::NSSCertDatabase::GetInstance(),
+                 // Create a copy of the database so it can be used on the
+                 // worker pool.

[pneubeck (no reviews), 2014/01/24 13:18:02]

if you plan to change this, please add a TODO

[tbarzic, 2014/01/25 00:26:27]

Done.

+                 base::Owned(new net::NSSCertDatabaseChromeOS(
+                     database_->GetPublicSlot(),
+                     database_->GetPrivateSlot())),
                  cert_list),
       base::Bind(&CertLoader::UpdateCertificates,
                  weak_factory_.GetWeakPtr(),
@@ -195,15 +214,4 @@ void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
   LoadCertificates();
 }
 
-void CertLoader::OnTPMTokenReady(const std::string& tpm_user_pin,
-                                 const std::string& tpm_token_name,
-                                 int tpm_token_slot_id) {
-  tpm_user_pin_ = tpm_user_pin;
-  tpm_token_name_ = tpm_token_name;
-  tpm_token_slot_id_ = tpm_token_slot_id;
-
-  VLOG(1) << "TPM token ready.";
-  RequestCertificates();
-}
-
 }  // namespace chromeos